On the Friday before the Memorial Day holiday, the FBI’s Internet Crime Complaint Center sent an important warning about a virus affecting home and office internet routers, the devices we all use to navigate the Internet. Many will recall 2001: A Space Odyssey with the red-eyed Cyclops HAL 9000. But now we learn that the thing hooked up to our home computers with the blinking column of green dots can mask a similar malevolence.
The virus that prompted the FBI warning is the so-called “VPNFilter” malware. It can render routers inoperable, but it can also steal information, including website credentials, that passes through a router and forward that data to a hacker site.
VPNFilter is being analyzed by Talos, Cisco’s threat intelligence division, which estimates that at least a half million routers across the globe may be vulnerable to the malware and may already have been infected. Among the affected networking equipment identified by Talos are routers made by Linksys, MikroTik, Netgear and TP-Link.
Even though its analysis was incomplete, Talos chose to publish its findings on VPNFilter because of the danger it poses, and because its features overlap with the “BlackEnergy” malware that has been used to target devices in Ukraine. Talos is reporting that VPNFilter is also “actively infecting Ukrainian hosts at an alarming rate.”
The Talos report also cautions that many of the devices under attack are on the perimeters of computer systems and lack intrusion protection features as well as host-based anti-virus software to protect them from this malware. Further technical details of VPNFilter are available in the Talos report, and we can expect that to be supplemented as its investigation proceeds.
For now, we should take protective steps on all our routers. The FBI is recommending that the owners of small office and home office routers reboot the devices. Rebooting your router is much easier than what Dave had to do to disable HAL in the movie. It involves a simple step that many of us have had to do in response to other service interruptions: disconnect the router from its power source, wait about 30 seconds, and reconnect it. That should trigger a reboot, which will disrupt the operation of VPNFilter.
The reboot will ensure that, if VPNFilter has infected your router, the code designed to command the router to steal data will be unloaded. With apologies for mixing movie metaphors, rebooting will prevent your router from “phoning home” and transmitting your data back to the hacker site.
However, one other step is needed to completely eradicate VPNFilter, because one part of its code will not be removed by rebooting the router. To completely eradicate it, you will need to follow your router manufacturer’s instructions to reset the router to factory defaults and update the firmware loaded on it. Those steps are described in detail in the following article published this week by Lawrence Abrams on his Bleeping Computer site. That article also has embedded links to manufacturer websites where you can find detailed instructions on the specific steps for several common router types.
By following these steps, you’ll decouple your router from a malicious network that is posing a threat around the world.